Setting Up an SFTP Server on Debian Bullseye for Backups

Slug: sftp

Tags: aid>linux

18807 characters 2617 words

This guide will walk you through setting up an SFTP (SSH File Transfer Protocol) server on your Debian Bullseye system, specifically tailored for an arm64 Rockchip rk3588 machine. The goal is to enable efficient and secure file transfers from local devices (like iPhones, Android phones, laptops) to your Debian machine for backup purposes.

We will use openssh-sftp-server, which is a component of the openssh-server package. Installing openssh-server from the Debian repositories will provide a modern and secure version of the SFTP server (typically OpenSSH 8.x on Bullseye; the “10” sometimes mentioned in discussions usually refers to a desire for a modern version rather than a specific package name). This guide assumes there is no active firewall on the Debian host machine.

While this guide uses standard Debian procedures applicable to any arm64 system, the RK3588 is a capable SoC. For most SFTP backup tasks, performance should be adequate. If you encounter performance bottlenecks with extremely large files or high-frequency transfers, system-level tuning (e.g., I/O schedulers, network stack parameters) might be explored, but this is beyond the scope of this basic setup guide.

#1. Update Your System

Ensure your Debian system is up-to-date. Open a terminal and execute:

sudo apt-get update sudo apt-get upgrade -y

#2. Install openssh-server

SFTP service is provided by openssh-server. If it’s not already installed (Debian server editions usually include it), install it:

sudo apt-get install openssh-server -y

The sftp-server executable is typically located at /usr/lib/openssh/sftp-server and is configured as a subsystem in the SSH daemon configuration.

#3. Verify SSH Service and Configuration

The SSH service (sshd) should start automatically after installation. You can check its status:

sudo systemctl status sshd

Or simply:

sudo systemctl status ssh

Ensure the SFTP subsystem is enabled in the SSH configuration file (/etc/ssh/sshd_config). It usually is by default. Look for a line similar to this:

Subsystem sftp /usr/lib/openssh/sftp-server

If you need to modify /etc/ssh/sshd_config (e.g., to change the port or apply security hardening), restart the SSH service afterwards:

sudo systemctl restart sshd

#4. Creating a User for SFTP Access

SFTP uses system users for authentication. It’s good practice to create a dedicated user for SFTP access, especially if you want to restrict their capabilities or jail them to a specific directory (chroot). For simple backup purposes to a user’s home directory, an existing user can also be used if preferred.

To create a new user (e.g., backupuser) with a home directory and prevent shell login (SFTP access only):

sudo useradd -m backupuser -d /home/backupuser -s /usr/sbin/nologin # Or, for a more restrictive shell that also allows SFTP: # sudo useradd -m backupuser -d /home/backupuser -s /bin/false sudo passwd backupuser # Set a strong password for this user

This user (backupuser) will be able to log in via SFTP and will be initially placed in their home directory (/home/backupuser). Files backed up will go here unless the client navigates elsewhere (permissions permitting).

Permissions for Backup Target: Ensure the user has write permissions to their backup target directory.

  • Home Directory: The -m option with useradd creates the home directory (e.g., /home/backupuser) and sets basic ownership for backupuser.
  • Dedicated Backup Location (e.g., a mounted drive): If you prefer to back up to a different location like /mnt/backups_volume/my_device_backups, ensure backupuser has appropriate permissions:
    sudo mkdir -p /mnt/backups_volume/my_device_backups sudo chown backupuser:backupuser /mnt/backups_volume/my_device_backups sudo chmod 700 /mnt/backups_volume/my_device_backups # Gives backupuser full rwx, no access for others

    You would then instruct the user or configure backup clients to use this specific path after SFTP login.

#5. Firewall Considerations (Information Only)

As per your requirements, this guide assumes no firewall is active on the host Debian machine.

If you were to enable a firewall (e.g., UFW) on the Debian machine at a later time, you would need to allow traffic on the SSH port (default is 22):

# Example for UFW if it were active: # sudo ufw allow 22/tcp # sudo ufw reload

Since no host firewall is assumed for this guide, no action is needed here. Also, be aware of any firewalls on your router or other network devices if connecting from outside your immediate LAN.

#6. Ensure SSH Service is Enabled to Start on Boot

To ensure the SSH service starts automatically when your machine boots:

sudo systemctl enable sshd # or sudo systemctl enable ssh

The service is likely already enabled if it was installed as part of the system or via apt.

#Finding Your Server’s IP Address

To connect to your SFTP server, you’ll need its IP address on your local network. On your Debian server terminal, you can find it using one of these commands:

hostname -I # or ip addr show

Look for an IP address associated with your network interface (e.g., eth0, wlan0), typically in a format like 192.168.x.x or 10.x.x.x.

#Get Information of the SFTP Server

This script helps gather relevant information about your openssh-server and SFTP setup. Save it as a .sh file, make it executable (chmod +x scriptname.sh), and run it with sudo ./scriptname.sh.

#!/bin/bash # Script to gather and display OpenSSH SFTP server information on Debian Bullseye echo "Gathering OpenSSH SFTP server information..." echo "--------------------------------------------" # --- General System & Service Info --- IP_ADDRESSES=$(hostname -I 2>/dev/null | sed 's/ *$//g' || echo "IP addresses not found") SSH_SERVICE_STATUS=$(systemctl is-active sshd 2>/dev/null || systemctl is-active ssh 2>/dev/null || echo "Status not determinable or service inactive") PKG_VERSION=$(dpkg -s openssh-server 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "Package version not found") echo -e "\n**General System & Service Info:**" echo -e " System IP Addresses: $IP_ADDRESSES" echo -e " OpenSSH Service Status (systemctl): $SSH_SERVICE_STATUS" echo -e " OpenSSH Server Package Version (dpkg): $PKG_VERSION" # --- SSH Configuration --- SSHD_CONFIG_FILE="/etc/ssh/sshd_config" echo -e "\n**SSH Configuration ($SSHD_CONFIG_FILE):**" if [ -f "$SSHD_CONFIG_FILE" ]; then PORT=$(grep -iE "^Port\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1) [ -z "$PORT" ] && PORT="22 (default)" echo -e " Listening Port (from config): $PORT" SFTP_SUBSYSTEM=$(grep -iE "^Subsystem\s+sftp" "$SSHD_CONFIG_FILE" | tail -n 1) if [ -n "$SFTP_SUBSYSTEM" ]; then echo -e " SFTP Subsystem Config: $SFTP_SUBSYSTEM" else echo -e " SFTP Subsystem Config: Not explicitly found or commented out (sftp might still work via internal default)." fi PASSWORD_AUTH=$(grep -iE "^PasswordAuthentication\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1) if [ -n "$PASSWORD_AUTH" ]; then echo -e " Password Authentication: $PASSWORD_AUTH" else echo -e " Password Authentication: Not explicitly set (defaults to yes, unless overridden by other settings like PubkeyAuthentication only)." fi CHALLENGE_RESPONSE_AUTH=$(grep -iE "^ChallengeResponseAuthentication\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1) if [ -n "$CHALLENGE_RESPONSE_AUTH" ]; then echo -e " ChallengeResponseAuthentication: $CHALLENGE_RESPONSE_AUTH" else echo -e " ChallengeResponseAuthentication: Not explicitly set (defaults to yes, but behavior can depend on PAM)." fi USE_PAM=$(grep -iE "^UsePAM\s" "$SSHD_CONFIG_FILE" | awk '{print $2}' | tail -n 1) if [ -n "$USE_PAM" ]; then echo -e " UsePAM: $USE_PAM" else echo -e " UsePAM: Not explicitly set (defaults to yes on Debian)." fi else echo " $SSHD_CONFIG_FILE not found." fi # --- Listening Ports (from ss) --- echo -e "\n**Actual Listening Ports (from ss):**" LISTENING_SSH_PORTS=$(ss -tlpn 2>/dev/null | grep 'sshd' | awk '{print $4}' | sed 's/.*://' | sort -u | tr '\n' ' ' | sed 's/ *$//g') if [ -z "$LISTENING_SSH_PORTS" ]; then LISTENING_SSH_PORTS="sshd process not found listening or ss command issue." fi echo -e " sshd listening on port(s): $LISTENING_SSH_PORTS" # --- SFTP User Information (example 'backupuser') --- SFTP_USER="backupuser" # Change if you used a different username echo -e "\n**SFTP User Information (Example: '$SFTP_USER'):**" if getent passwd "$SFTP_USER" >/dev/null 2>&1; then FTPUSER_EXISTS_MSG="User '$SFTP_USER' exists." FTPUSER_HOME_DIR=$(getent passwd "$SFTP_USER" | cut -d: -f6) FTPUSER_SHELL=$(getent passwd "$SFTP_USER" | cut -d: -f7) echo -e " Status of '$SFTP_USER': $FTPUSER_EXISTS_MSG" echo -e " Home Directory for '$SFTP_USER': $FTPUSER_HOME_DIR" echo -e " Shell for '$SFTP_USER': $FTPUSER_SHELL (Note: /usr/sbin/nologin or /bin/false is common for SFTP-only users)" else echo -e " User '$SFTP_USER' not found in /etc/passwd. (Create this user or use an existing one)." fi echo -e " Password for SFTP User: [This cannot be retrieved. Use the password you set for the system user '$SFTP_USER'.]" echo "--------------------------------------------" echo "Script finished." echo "Note: For detailed logs, check 'sudo journalctl -u sshd' or '/var/log/auth.log'."

#Connect Local Devices to the Debian SFTP Server

The primary goal is to back up files from various devices. SFTP is widely supported. Many client operating systems also offer scripting capabilities (e.g., shell scripts with sftp or rsync on Linux/macOS, PowerShell on Windows) and some third-party backup applications on mobile/desktop can use SFTP as a target for scheduled backups.

General Connection Details You’ll Need:

  • Host/Server IP Address: The IP address of your Debian rk3588 machine (see “Finding Your Server’s IP Address” above).
  • Username: The user you created or designated for SFTP (e.g., backupuser).
  • Password: The password for that user.
  • Port: 22 (the default SSH/SFTP port, unless you changed it in sshd_config).

#1. Connecting from Windows using FileZilla

  • Install FileZilla: Download and install the FileZilla Client if you haven’t already.
  • Launch FileZilla.
  • Quickconnect:
    • Host: Enter your Debian server’s IP address (e.g., 192.168.1.100).
    • Username: backupuser (or your chosen username).
    • Password: The user’s password.
    • Port: 22.
    • Click Quickconnect. (Alternatively, for the Host field, you can type sftp://192.168.1.100; FileZilla will parse the protocol and host).
  • Trust SSH Host Key: The first time you connect, FileZilla will show a warning about an unknown host key. This is normal. Verify the fingerprint if possible (advanced), or click OK or Trust to save the host key and continue.
  • Transfer Files: Use the left pane (Local site) for your Windows files and the right pane (Remote site) for your Debian server. Drag and drop files/folders to the backupuser’s target backup directory on the server.
  • Using Site Manager (Recommended for frequent connections):
    1. Go to File > Site Manager.
    2. Click New Site, name it (e.g., “Debian Backup Server”).
    3. Protocol: Select SFTP - SSH File Transfer Protocol.
    4. Host: Your Debian server’s IP.
    5. Port: 22.
    6. Logon Type: Normal.
    7. User: backupuser.
    8. Password: The user’s password (or choose “Ask for password” or set up key-based authentication).
    9. Click Connect.

#2. Connecting from macOS

  • Finder:
    1. Open Finder.
    2. Go to Go > Connect to Server… (Cmd+K).
    3. In the Server Address field, type: sftp://backupuser@YOUR_SERVER_IP_ADDRESS (e.g., sftp://backupuser@192.168.1.100).
    4. Click Connect. You’ll be prompted for the password.
    5. The SFTP location will mount like a regular drive.
  • Terminal (Command Line sftp):
    sftp backupuser@YOUR_SERVER_IP_ADDRESS # Example: sftp backupuser@192.168.1.100

    You’ll be prompted for the password. Use commands like put local_file remote_file, get remote_file local_file, ls, cd, etc.

  • Third-party Apps: Cyberduck, Transmit, ForkLift are popular SFTP clients for macOS.

#3. Connecting from Linux Desktops

  • File Manager: Most Linux desktop environments (GNOME, KDE, XFCE) allow connecting to SFTP shares directly from their file managers (e.g., Nautilus, Dolphin, Thunar). Look for “Connect to Server” or similar options in the file menu or sidebar, and use sftp://backupuser@YOUR_SERVER_IP_ADDRESS as the address.
  • Terminal (Command Line sftp): Same as macOS:
    sftp backupuser@YOUR_SERVER_IP_ADDRESS

#4. Connecting from iOS (iPhone/iPad)

You’ll need an app that supports SFTP. Some popular choices:

  • Secure ShellFish (Recommended): A powerful SSH and SFTP client.
  • Termius: Also offers SSH/SFTP capabilities.
  • FE File Explorer: File Manager
  • The built-in Files App can sometimes access SFTP locations if another app provides an SFTP extension.

In the chosen app, you’ll typically add a new server/connection and input the Host IP, username, password, and port (22).

#5. Connecting from Android

Many file manager apps on Android support SFTP, or you can get dedicated SFTP clients:

  • Solid Explorer File Manager (has SFTP plugin/support).
  • FX File Explorer (has SFTP support).
  • MiXplorer (free, powerful, supports SFTP - often found outside Play Store, e.g., XDA).
  • Termux (for command-line sftp if you prefer).

Similar to iOS, you’ll add a new SFTP connection in the app using your server’s IP, username, password, and port 22.

#Advanced Backup Tip: Using rsync for Efficiency

For more efficient backups, especially for large files or repeated backups, consider using rsync over SSH. rsync only transfers the differences between files, saving time and bandwidth.

Example rsync command (run on the client machine):

rsync -avz --progress /path/to/local/source/directory/ backupuser@YOUR_SERVER_IP_ADDRESS:/path/to/remote/backup_destination/
  • -a: Archive mode (preserves permissions, ownership, timestamps, etc.).
  • -v: Verbose output.
  • -z: Compress file data during transfer.
  • --progress: Show progress during transfer.
  • Trailing slash on source: /source/directory/ copies the contents of the directory. Without it, /source/directory would copy the directory itself into the destination.

You’ll be prompted for the backupuser’s password unless you’ve set up SSH key-based authentication.

#Security Best Practices for SFTP

  • Strong Passwords: Use strong, unique passwords for all user accounts that have SSH/SFTP access.
  • Key-Based Authentication (More Secure): For significantly better security, disable password authentication and use SSH key pairs. This involves generating a key pair on the client, copying the public key to ~/.ssh/authorized_keys on the server for the user, and then setting PasswordAuthentication no in /etc/ssh/sshd_config on the server.
  • Regular Updates: Keep your openssh-server package updated:
    sudo apt-get update sudo apt-get upgrade
  • Minimize User Privileges: The backupuser created with /usr/sbin/nologin cannot get an interactive shell, which is good. Only grant write permissions to directories where backups are intended.
  • Chroot Jail (Advanced): To restrict an SFTP user to only their home directory (or another specific directory) and prevent them from seeing the rest of the server’s filesystem, configure a chroot jail. This involves changes in /etc/ssh/sshd_config. Add or modify the following at the end of /etc/ssh/sshd_config:
    Match User backupuser ChrootDirectory /home/backupuser # Or your designated chroot path ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no

    Important Chroot Directory Permissions:

    1. The ChrootDirectory path itself (e.g., /home/backupuser) and all its parent components must be owned by root and not writable by any other user (e.g., permissions 755 or rwxr-xr-x).
      # Example if /home/backupuser is the ChrootDirectory sudo chown root:root /home/backupuser sudo chmod 755 /home/backupuser
    2. Create a subdirectory inside the chroot for the user to write to, and give the SFTP user ownership of this subdirectory:
      sudo mkdir /home/backupuser/uploads # Or any name like 'files', 'backups' sudo chown backupuser:backupuser /home/backupuser/uploads sudo chmod 755 /home/backupuser/uploads # Or 700 if only user needs access

      After making changes to sshd_config, restart the SSH service: sudo systemctl restart sshd.

  • Monitor Logs: Check SSH logs for suspicious activity: sudo journalctl -u sshd or examine /var/log/auth.log.

#Troubleshooting Common SFTP Issues

  1. Connection Refused:
    • SSH Service Not Running: Ensure sshd is active on the server: sudo systemctl status sshd. Start it if needed: sudo systemctl start sshd.
    • Incorrect IP Address or Port: Double-check the server’s IP and that you’re using port 22 (unless you’ve changed it).
    • Network Connectivity: Ensure your client device is on the same network as the server and can reach it (try ping YOUR_SERVER_IP_ADDRESS from a client that supports ping).
  2. Authentication Failed / Permission Denied (Password):
    • Incorrect Username or Password: Verify credentials carefully. Linux passwords are case-sensitive.
    • User Account Issues: Ensure the user account exists, is not locked, and has a valid password set on the server.
    • Check /var/log/auth.log on the server for more detailed error messages.
  3. Permission Denied (File Transfer):
    • Directory Permissions: The SFTP user needs write permissions for the target directory on the server. Use ls -ld /path/to/target_directory on the server to check permissions. Use sudo chown backupuser:backupuser /path/to/target_directory and sudo chmod u+rwx /path/to/target_directory as needed (adjust group/other permissions as necessary).
    • Chroot Issues: If you’ve set up a chroot, ensure permissions inside and for the chroot directory are correct as detailed in the “Chroot Jail” section. This is a common point of failure.
  4. Host Key Verification Failed / Changed Host Key:
    • This usually happens if the server’s SSH host key has changed (e.g., after an OS reinstall) or if you’re connecting to a different server that happens to have the same IP address as a previous one.
    • Most SFTP clients allow you to remove the old host key for that IP address and accept the new one. For command-line sftp or ssh, you might need to edit ~/.ssh/known_hosts on the client machine and remove the line corresponding to your server’s IP.
URL: https://ib.bsb.br/sftp